Abstract — A location based service (LBS) provides services such as finding
the nearest location or favourite entertainment areas to users, based either
on the area in which they reside or on the input they give. The services
provided by an LBS are typically backed by a point of interest database, so
answering a query means retrieving data from the database server. The work
proposed here is a novel protocol for location based queries with major
performance improvements. It runs in two stages: first, the user privately
determines his/her location, and second, the server protects its data from
users who have not paid for it. The protocol thus secures the user's details
and protects the server's data. The user is protected because the server is
unable to determine his/her location. The server's data is protected because
a malicious user can only decrypt the part of the data obtained with the
encryption key acquired in the previous stage; he/she cannot decrypt the
remaining server data for which he/she is not authorised. In other words,
users can never get more data than they have paid for. An oblivious transfer
phase ensures the privacy of the user, and a private information retrieval
phase protects the server's data.

Keywords — Location based service, Point of Interest database, oblivious
transfer phase, private information retrieval phase.

I. INTRODUCTION 

A location based service (LBS) is an information, entertainment and utility
service, generally accessed from mobile devices such as mobile phones, GPS
devices and pocket PCs, and operating through a mobile network. An LBS can
offer many services to users based on the geographical position of their
mobile device. The services provided by an LBS are typically based on a point
of interest database. By retrieving Points Of Interest (POIs) from the
database server, the user can get answers to various location based queries,
which include, but are not limited to, discovering the nearest ATM, gas
station, hospital or police station. In recent years there has been a
dramatic increase in the number of mobile devices querying location servers
for information about POIs. Among the many barriers to the wide deployment of
such applications, privacy assurance is a major issue. For instance, users
may be reluctant to disclose their locations to the LBS, because a location
server may be able to learn who is making a certain query by linking these
locations with a residential phone book database, since users are likely to
perform many queries from home. The Location Server (LS), which offers the
LBS, spends its resources compiling information about various POIs, so it is
expected that the LS will not disclose any information without being paid.
The LBS therefore has to ensure that the LS's data is not accessed by any
unauthorized user: during transmission, users must not be able to discover
any information for which they have not paid. It is thus crucial to devise
solutions that address the privacy of the users issuing queries and also
prevent users from accessing content for which they are not authorized.

The system model consists of three types of entities: the set U of users who
wish to access location data, a mobile service provider SP, and a location
server LS.

The purpose of the mobile service provider SP is to establish and maintain
the communication between the location server and the user. The location
server LS owns a set of POI records $r_i$ for $1 \le i \le \rho$. Each record
describes a POI, giving the GPS coordinates of its location
$(x_{gps}, y_{gps})$ and a description or name of what is at the location. We
reasonably assume that the mobile service provider SP is a passive entity and
is not allowed to collude with the LS. We make this assumption because the SP
can determine the whereabouts of a mobile device, which, if it were allowed
to collude with the LS, would completely subvert any method for privacy.
II. LITERATURE SURVEY

A preliminary investigation of the privacy issues involved in the use of
location-based services argued that even if the user identity is not
explicitly released to the service provider, the geo-localized history of
user requests can act as a quasi-identifier and may be used to access
sensitive information about specific individuals. That work formally defines
a framework to evaluate the risk of revealing a user identity via location
information and presents preliminary ideas about algorithms to prevent this
from happening.

It formally defined the problem of the personal identification of sensitive
data in location-based services. The authors believe that the formal
framework they defined can be used for two very different purposes: to
enforce a certain level of privacy, possibly disabling the service when the
level cannot be guaranteed, and to evaluate whether the privacy policies that
a location-based service guarantees are sufficient to deploy the service in a
certain area. This may be achieved by considering, for example, the typical
density of users, their movement patterns, their concerns about privacy, the
spatiotemporal tolerance constraints of the service and the presence of
natural mix-zones in the area. That work presented preliminary results about
what its authors consider another promising research direction, and pointed
out several issues that deserve further investigation, including monitoring
multiple LBQIDs (location-based quasi-identifiers), efficient generalization
algorithms and unlinking techniques. In addition, randomization should be
used as part of the TS strategy to prevent inference attacks. Another
interesting open issue regards user interfaces. On one side, very simple
tools should be provided to define LBQIDs and verify them based on
statistical data. On the other side, simple and effective interfaces are
needed to specify the level of anonymity required by the user, as well as to
notify the user when identification is at risk. Graphical solutions, like the
open and closed lock in an internet browser, should be considered.

The popularity of location-based services leads to serious concerns about
user privacy. A common mechanism to protect users' location and query privacy
is spatial generalization. As more user information becomes available with
the fast growth of Internet applications, e.g., social networks, attackers
are able to construct users' personal profiles. This gives rise to new
challenges and a reconsideration of existing privacy metrics such as
k-anonymity. That work proposes new metrics to measure users' query privacy
taking user profiles into account, and designs spatial generalization
algorithms to compute regions satisfying users' privacy requirements
expressed in these metrics. Experimental results show the metrics and
algorithms to be effective and efficient for practical usage.

It considers a powerful attacker who can obtain user profiles and has access
to users' real-time positions in the context of LBSs. Under this stronger
attacker model, it proposes new metrics to correctly measure users' query
privacy in LBSs, including k-ABS, α-USI, β-EBA and γ-MIA. For information
theory based metrics, the determination of users' specified values is not
intuitive; however, users can use other metrics as references. For instance,
k-anonymity corresponds to (log k)-EBA when the distribution of users issuing
a query is (close to) uniform. Spatial generalization algorithms are
developed to compute regions satisfying users' privacy requirements specified
in the proposed metrics. Extensive experiments show the metrics are effective
in balancing privacy and quality of service in LBSs, and the algorithms are
efficient enough to meet the requirement of real-time responses. The metrics
are not exhaustive, and there exist other ways to express query privacy. For
instance, min-entropy can be used to express information leakage in a way
analogous to mutual information:
$I_\infty(X;Y) = H_\infty(X) - H_\infty(X \mid Y)$. Intuitively, this
measures the amount by which min-entropy is reduced after the attacker has
observed a generalized query. It would also be interesting to study how
differential privacy could be adopted for LBS scenarios. As future work, the
authors want to develop an LBS application that uses the proposed metrics to
protect users' query privacy, which can lead to a better understanding of
privacy challenges in more realistic situations. The implementation of the
algorithms can also be improved, e.g., using a better clustering algorithm
for k-ABS. Another interesting direction is a stronger attacker model where
the attacker, for instance, has access to users' mobility patterns.

III. SYSTEM DESIGN 

In this system, we propose a novel protocol for location based queries that
has major performance improvements with respect to the approach by Ghinita
et al. Like that protocol, our protocol is organized in two stages. In the
first stage, the user privately determines his/her location within a public
grid, using oblivious transfer. The data obtained contains both the ID of,
and the associated symmetric key for, the block of data in the private grid.
In the second stage, the user executes a communicationally efficient PIR to
retrieve the appropriate block from the private grid. This block is decrypted
using the symmetric key obtained in the previous stage.

Our protocol thus provides protection for both the user and the server. The
user is protected because the server is unable to determine his/her location.
Similarly, the server's data is protected, since a malicious user can only
decrypt the block of data obtained by PIR with the encryption key acquired in
the previous stage. In other words, users cannot gain any more data than what
they have paid for. We remark that this system is an enhancement of a
previous work.

Advantages of the system

1. The key structure has been redesigned.

2. A formal security model has been added.

3. The solution has been implemented on both a mobile device and a desktop
machine.



The system model consists of three types of entities, as in the figure:

i) The set of users who wish to access location data.

ii) The mobile service provider, whose purpose is to establish and maintain
the communication between the location server and the user.

iii) The location server, which owns a set of point of interest (POI)
records. Each record describes a POI, giving the GPS coordinates of its
location and a description or name of what is at the location.

IV. FRAMEWORK MODULES

There are four modules in the designed system: the user initiation module,
the oblivious transfer module, the private information retrieval module and
the location server module.

User initiation module 

The ultimate goal of our protocol is to obtain a set (block) of POI records
from the LS that are close to the user's position, without compromising the
privacy of the user or the data stored at the server. We achieve this with a
two stage approach. The first stage is based on a two-dimensional oblivious
transfer and the second stage on a communicationally efficient PIR. The
oblivious transfer based protocol is used by the user to obtain the ID of the
cell where the user is located and the corresponding symmetric key. Knowledge
of the cell ID and the symmetric key is then used in the PIR based protocol
to obtain and decrypt the location data. The user determines his/her location
within a publicly generated grid P using his/her GPS coordinates and forms an
oblivious transfer query. The minimum dimensions of the public grid are
defined by the server and made available to all users of the system. This is
implemented by the user initiation algorithm:

Input: $X_{1,1}, \ldots, X_{n,m}$, where $X_{i,j}$ holds the ID of the
private-grid cell and its associated symmetric key
Output: $Y_{1,1}, \ldots, Y_{n,m}$
1: $k_{i,j} \leftarrow H(r_i \,\|\, c_j)$, for $1 \le i \le n$ and
$1 \le j \le m$, where $r_i$ and $c_j$ are randomly chosen and $H$ is a fast
secure hash function
2: $Y_{i,j} \leftarrow X_{i,j} \oplus k_{i,j}$, for $1 \le i \le n$ and
$1 \le j \le m$
3: return $Y_{i,j}$, {Encryptions of $X_{1,1}, \ldots, X_{n,m}$ using
$k_{i,j}$}

Fig. 2: User Initiation Algorithm


Oblivious Transfer module 

The purpose of this module is for the user to obtain one and only one record
from the cell in the public grid P. We achieve this by constructing a
2-dimensional oblivious transfer, based on the ElGamal oblivious transfer,
using the adaptive oblivious transfer proposed by Naor et al. We remark that
a key structure of this form is an enhancement over the earlier design, as
the client does not have access to the individual components of the key.


This phase is implemented by the oblivious transfer algorithm, which is as
follows:

Input: User $(i, j)$
Output: User $(ID_{Q_{i,j}}, k_{i,j})$
1: User (QG1)
2: $y_1 \leftarrow g^{x_1}$, where $y_1$ is the public key for the row and
$x_1$ is chosen at random
3: $y_2 \leftarrow g^{x_2}$, where $y_2$ is the public key for the column
and $x_2$ is chosen at random
4: $C_1 \leftarrow (A_1, B_1) = (g^{r_1},\; g^{i}\, y_1^{r_1})$
5: $C_2 \leftarrow (A_2, B_2) = (g^{r_2},\; g^{j}\, y_2^{r_2})$
6: Server $\Leftarrow C_1, C_2$
7: Server (RG1)
8: $C'_{1,\alpha} \leftarrow$ (re-randomized $C_1$ carrying the row secret
$r_\alpha$) for $1 \le \alpha \le n$, where $s$ is chosen randomly
9: $C'_{2,\beta} \leftarrow$ (re-randomized $C_2$ carrying the column secret
$c_\beta$) for $1 \le \beta \le m$, where $t$ is chosen randomly
10: User $\Leftarrow C'_{1,1}, \ldots, C'_{1,n}, C'_{2,1}, \ldots, C'_{2,m}$
11: User (RR1)
12: Let $(U_1, V_{1,i}) = C'_{1,i}$ and $(U_2, V_{2,j}) = C'_{2,j}$
13: $W_1 \leftarrow U_1^{x_1}$
14: $W_2 \leftarrow U_2^{x_2}$
15: $r_i \leftarrow V_{1,i} / W_1$
16: $c_j \leftarrow V_{2,j} / W_2$
17: Reconstruct $X_{i,j}$ from $r_i$ and $c_j$
18: return $(ID_{Q_{i,j}}, k_{i,j})$ {Cell ID of grid Q, with associated
cell key}

Fig. 3: Oblivious Transfer Algorithm
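The user-initiation step of Fig. 2 and the two-dimensional oblivious transfer of Fig. 3 can be run end to end in a few dozen lines. The following Python program is an added example written for this page, not the paper's prototype code. It uses a toy safe-prime group of 1019 elements (assumption: a real deployment would use a 2048-bit group or an elliptic curve), derives every cell key as $k_{i,j} = H(r_i \| c_j)$ from row and column secrets, lets the user map a constructed GPS fix to a cell of the public grid, and runs one ElGamal-based 1-out-of-n transfer on the row index and another on the column index so that exactly one cell key can be reconstructed. The grid contents, coordinates, cell size and the row/column blinding in `server_respond` are this example's own constructions (the standard ElGamal OT trick of dividing out $g^{\alpha}$ and re-randomizing), not formulas recovered from the figure; indices are 0-based here rather than 1-based as in the figure.

```python
import hashlib
import secrets

# Toy group (assumption: a tiny safe prime so the example runs instantly; a real
# deployment would use a 2048-bit MODP group or an elliptic curve).
P = 1019            # safe prime, P = 2*Q + 1
Q = 509             # prime order of the subgroup generated by G
G = 4               # a quadratic residue, hence a generator of that subgroup

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)

def rand_elem():
    # Row/column secrets r_a and c_b are random elements of the subgroup.
    return pow(G, rand_exp(), P)

def cell_of(lat, lon, lat0, lon0, cell_deg, n, m):
    # The user locates himself/herself in the public n x m grid of
    # cell_deg-degree cells anchored at (lat0, lon0); nothing leaves the device.
    i, j = int((lat - lat0) // cell_deg), int((lon - lon0) // cell_deg)
    if not (0 <= i < n and 0 <= j < m):
        raise ValueError("position outside the public grid")
    return i, j

def cell_key(r, c):
    # Fig. 2, step 1: k_{i,j} = H(r_i || c_j)
    return hashlib.sha256(f"{r}|{c}".encode()).digest()

def xor_pad(key, data):
    # Fig. 2, step 2: Y = X xor keystream(k); a real system would use AES-GCM.
    stream = b"".join(hashlib.sha256(key + bytes([ctr])).digest()
                      for ctr in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def server_init(X, n, m):
    r = [rand_elem() for _ in range(n)]
    c = [rand_elem() for _ in range(m)]
    Y = [[xor_pad(cell_key(r[a], c[b]), X[a][b]) for b in range(m)] for a in range(n)]
    return r, c, Y

def user_query(i, j):
    # QG1: ElGamal-encrypt g^i under a fresh row key and g^j under a column key.
    x1, x2, r1, r2 = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    y1, y2 = pow(G, x1, P), pow(G, x2, P)
    C1 = (pow(G, r1, P), pow(G, i, P) * pow(y1, r1, P) % P)
    C2 = (pow(G, r2, P), pow(G, j, P) * pow(y2, r2, P) % P)
    return (x1, x2), (C1, C2)

def server_respond(C1, C2, r, c):
    # RG1: for every index, divide out g^index, blind with a fresh exponent and
    # attach that index's secret. Only the index the user encrypted survives;
    # every other entry is multiplied by a random group element g^(s*(i-index)).
    def shift(C, sec_list):
        A, B = C
        out = []
        for idx, sec in enumerate(sec_list):
            s = rand_exp()
            B_over_g = B * pow(pow(G, idx, P), -1, P) % P
            out.append((pow(A, s, P), pow(B_over_g, s, P) * sec % P))
        return out
    return shift(C1, r), shift(C2, c)

def user_recover(sk, resp, i, j, Y):
    # RR1: W = U^x cancels the ElGamal mask, leaving r_i and c_j.
    (x1, x2), (R1, R2) = sk, resp
    (U1, V1), (U2, V2) = R1[i], R2[j]
    r_i = V1 * pow(pow(U1, x1, P), -1, P) % P
    c_j = V2 * pow(pow(U2, x2, P), -1, P) % P
    return xor_pad(cell_key(r_i, c_j), Y[i][j])

def demo():
    n, m = 4, 5
    # Constructed public-grid contents: each cell holds a private-grid ID and a
    # (constructed) symmetric key label for that block.
    X = [[f"Q{a}{b}|key{a}{b}".encode() for b in range(m)] for a in range(n)]
    r, c, Y = server_init(X, n, m)
    i, j = cell_of(12.976, 77.583, 12.95, 77.55, 0.01, n, m)   # constructed GPS fix
    sk, query = user_query(i, j)
    resp = server_respond(*query, r, c)
    got = user_recover(sk, resp, i, j, Y)
    # Reusing the same response for a neighbouring cell yields garbage.
    leaked = user_recover(sk, resp, i, (j + 1) % m, Y) == X[i][(j + 1) % m]
    return (i, j), got, leaked
```

`demo()` returns the cell the user computed, the cell contents he/she recovered, and whether the same response also opened the neighbouring cell. The last value is always false because the server's blinding factor $g^{s(i-\alpha)}$ only cancels for $\alpha = i$; that is the "one and only one record" property the module relies on. The server, for its part, only ever sees ElGamal ciphertexts of $g^i$ and $g^j$ under keys it does not hold.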
Private Information Retrieval Module

With knowledge of which cells are contained in the private grid and of the
key that encrypts the data in the cell, the user can initiate a private
information retrieval protocol with the location server to acquire the
encrypted POI data. Assuming the server has initialized the integer $e$, the
user $U_i$ and the LS can engage in the following private information
retrieval protocol using the $ID_{Q_{i,j}}$ obtained from the execution of
the previous protocol as input. The $ID_{Q_{i,j}}$ allows the user to choose
the associated prime power $\pi_i$, which in turn allows the user to query
the server.

This phase is implemented by the private information retrieval algorithm,
which is as follows:

Input: User $(ID_{Q_{i,j}})$
Output: User $(C_i)$
1: User (QG2)
2: $\pi_0 \leftarrow \pi_i$, where $\pi_i$ is chosen based on the value of
$ID_{Q_{i,j}}$
3: Generate a random group $G$ and group element $g$, such that $\pi_0$
divides the order of $g$
4: $q \leftarrow |\langle g \rangle| / \pi_0$
5: $h \leftarrow g^{q}$
6: Server $\Leftarrow G, g$
7: Server (RG2)
8: $g_e \leftarrow g^{e}$
9: User $\Leftarrow g_e$
10: User (RR2)
11: $h_e \leftarrow g_e^{q}$
12: $C_i \leftarrow \log_h h_e$, where $\log_h$ is the discrete log base $h$
13: return $C_i$ {The requested (encrypted) data}

Fig. 4: Private Information Retrieval Algorithm
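The retrieval of Fig. 4 (its structure is that of the Gentry-Ramzan PIR) is easiest to see with concrete numbers. The following Python program is an added example written for this page, not the paper's implementation. It assigns one prime $\pi_i$ just above $2^{16}$ to each of four constructed integer blocks (the paper allows prime powers; plain primes limit each block to values below $\pi_i$, so a real system would split ciphertext into such chunks), computes the server's integer $e$ by Chinese remaindering so that $e \equiv C_i \pmod{\pi_i}$ for every block, builds the user's group as $\mathbb{Z}_n^*$ with $n = p_1 p_2$ and $\pi_0 \mid p_1 - 1$ (the way the order of $g$ is made divisible by $\pi_0$ is this example's choice), and recovers $C_i$ as the discrete log of $h_e$ to base $h$ inside the order-$\pi_0$ subgroup. The parameters are tiny so that a brute-force discrete log finishes instantly; at such sizes the server could factor $n$ and learn $\pi_0$, so the privacy argument only holds at real (1024-bit) parameter sizes.

```python
import math
import secrets

def is_prime(x):
    # Trial division: adequate for the toy sizes used in this example.
    if x < 2:
        return False
    return all(x % d for d in range(2, math.isqrt(x) + 1))

def next_prime(x):
    x += 1
    while not is_prime(x):
        x += 1
    return x

def block_primes(count, bits=16):
    # One distinct prime pi_i per data block, each larger than any block value.
    primes, p = [], 1 << bits
    while len(primes) < count:
        p = next_prime(p)
        primes.append(p)
    return primes

def crt(residues, moduli):
    # Server-side e with e = C_i (mod pi_i) for every block (Chinese remaindering).
    e, M = 0, 1
    for c, p in zip(residues, moduli):
        t = (c - e) * pow(M, -1, p) % p
        e += M * t
        M *= p
    return e

def user_query(pi0):
    # QG2: build n = p1*p2 with pi0 dividing p1 - 1 and keep phi(n) private, so
    # (n, g) alone does not tell the server which pi_i divides the order of g.
    a = 1
    while not is_prime(2 * pi0 * a + 1):
        a += 1
    p1 = 2 * pi0 * a + 1
    p2 = next_prime(1000 + secrets.randbelow(1000))   # small second factor (toy)
    n, phi = p1 * p2, (p1 - 1) * (p2 - 1)
    q = phi // pi0                                     # Fig. 4, step 4
    while True:
        g = 2 + secrets.randbelow(n - 3)
        if math.gcd(g, n) == 1 and pow(g, q, n) != 1:  # pi0 divides ord(g)
            break
    h = pow(g, q, n)                                   # step 5: h has order pi0
    return (n, g), (n, q, h, pi0)

def server_answer(public, e):
    # RG2: the server sees only (n, g) and returns g^e.
    n, g = public
    return pow(g, e, n)

def dlog(h, target, order, n):
    # Brute-force discrete log in the order-pi0 subgroup (baby-step giant-step
    # would be used for a larger pi0).
    acc = 1
    for x in range(order):
        if acc == target:
            return x
        acc = acc * h % n
    raise ValueError("no discrete log")

def user_recover(g_e, private):
    # RR2: h_e = g_e^q = h^e, and log_h(h_e) = e mod pi0 = C_i.
    n, q, h, pi0 = private
    return dlog(h, pow(g_e, q, n), pi0, n)

def demo():
    # Constructed data set: four encrypted POI blocks as small integers.
    blocks = [0x1A2B, 0x3C4D, 0x5E6F, 0x0707]
    primes = block_primes(len(blocks))
    e = crt(blocks, primes)               # computed once by the server
    want = 2                              # index selected by ID_Q (assumption)
    public, private = user_query(primes[want])
    g_e = server_answer(public, e)
    return user_recover(g_e, private), blocks[want]
```

`demo()` returns the recovered block next to the block that was asked for. Note that the server does the same work ($g^e$ for the whole data set folded into one integer) whichever block is requested, which is where the communication efficiency comes from, and that the user only ever learns $e \bmod \pi_0$: the other residues stay hidden because the user cannot compute discrete logs in subgroups whose order he/she did not plant in $n$.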

Location Server Module 

The Location Server (LS), which offers the LBS, spends its resources
compiling information about various POIs, so it is expected that the LS will
not disclose any information without being paid. The LBS therefore has to
ensure that the LS's data is not accessed by any unauthorized user: during
transmission, users must not be able to discover any information for which
they have not paid. It is thus crucial to devise solutions that address the
privacy of the users issuing queries and also prevent users from accessing
content for which they are not authorized.

V. EXPERIMENTAL RESULTS 

Once the server application is run, the server-side screen starts; the LBQ
server then needs to be run, and it starts as well. Once this is done the
user can use his/her application.

After starting the application, the user needs to log in on the login page,
or register and then log in. A search screen then appears where, given
latitude and longitude values, the application displays the places nearest
to the input location. The output of the nearest places looks like the image
below:



Fig. 5: Screen shot of output screen 


When the user clicks on the links of the places, the map of 
the place clicked is displayed on a new window. 




Fig. 6: Screen shot of map upon clicking the place 


This helps the user to know all the nearest point of 
interests, streets, lanes, roads, lakes etc. 

VI. CONCLUSION 

In this system we have presented a location based query solution that
employs two protocols to enable a user to privately determine and acquire
location data. The first step is for the user to privately determine his/her
location using oblivious transfer on a public grid. The second step is a
private information retrieval interaction that retrieves the record with high
communication efficiency. We analyzed the performance of our protocol and
found it to be both computationally and communicationally more efficient
than the most recent prior solution. We implemented a software prototype on a
desktop machine. The prototype demonstrates that our protocol is within
practical limits.

VII. FUTURE ENHANCEMENT 

Future work will involve testing the protocol on many 
different mobile devices. Also, we need to reduce the 
overhead of the primality test used in the private 
information retrieval based protocol. Additionally, the 
problem concerning the LS supplying misleading data to 
the client is also interesting. Privacy preserving reputation 
techniques seem a suitable approach to address such 
problem. Once suitable strong solutions exist for the 
general case, they can be easily integrated into our 
approach. 